Device ID Question - Where is the device ID stored? And what are the priv/pub keys for?


#1

Hey Guys,

I just have one quick question, how is the Device ID stored on the Photon? Would it fused in via a OTP region? After completely erasing the entire Photon, including the boot loader, then getting it back up again, it still remembered my device ID.

One more question, what are the pub/priv keypair used for? As I understand there are 3 keys? The device priv and pub, and the server’s pubkey, I assume the server’s pubkey is for SSLing communication to and from the Particle Servers?


Xenon firmware on a Argon/Boron
#2

I’ll answer the second part: There are actually 4 keys, the 3 you listed, plus the server private key. The latter is secret and only known by Particle. Your private key is known only to the device, and never sent across the network. This is how [public key cryptography] (https://en.wikipedia.org/wiki/Public-key_cryptography) works and it allows the Photon/Electron device to know the server actually the Particle server, and the Particle server to know the device is actually the device that it claims to be, without ever sending the private secret keys across the network.


#3

So on the device we have 3 keys? The Device Private and Public keypair as well as the server public key.

Does anyone know what is the authentication process? I’m guessing the device signs data with the device private key. encrypts it with the server pubkey and sends it to the server, server decrypts and verifies signature, something like “Yes, I am Device ID: DEADFACE… and the username has claimed me”?


#4

Basically, yes. It’s standards-based: [CoAP] (http://coap.technology) over [DTLS] (https://tools.ietf.org/html/rfc6347).


#5

You can see some of this process in spark_protocol.cpp

int SparkProtocol::set_key(const unsigned char *signed_encrypted_credentials) {
...
  if (0 == verify_signature(signed_encrypted_credentials + 128,
                            server_public_key,
                            hmac))
  {
    memcpy(key,        credentials,      16);
    memcpy(iv_send,    credentials + 16, 16);
    memcpy(iv_receive, credentials + 16, 16);
    memcpy(salt,       credentials + 32,  8);
    _message_id = *(credentials + 32) << 8 | *(credentials + 33);
    _token = *(credentials + 34);

    unsigned int seed;
    memcpy(&seed, credentials + 35, 4);
    if (handlers.random_seed_from_cloud)
        handlers.random_seed_from_cloud(seed);
    else
        default_random_seed_from_cloud(seed);

    return 0;
  }
  else return AUTHENTICATION_ERROR;
 }
}
...

#6

Yes, and there’s also the open source implementation of the cloud software written in node.js, [local cloud server] (https://github.com/spark/spark-server) that allows you to look inside the server side and see exactly what’s going on.


#7

Ooooooo! I was about to ask that, can you use your own server, I’ll have a look at it, cheers Rick!